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I 

The trend for many years as space platforms have become more complex has been to 
oversense these systems, to anticipate unforeseen fault modes and sensor failures. 
However, this strategy becomes untenable when the amount of sensor data becomes 
too great for operators to assimilate and interpret, and when the cost, launch weight, 
and power consumption of too many sensors becomes unacceptable. 

On Space Station Freedom (SSF), design iterations have made clear the need to 
keep the sensor complement small. Along with the unprecedented duration of the 
mission, it is imperative that decisions regarding placement of sensors be carefully 
examined and justified during the design phase. 

In the ECLSS Predictive Monitoring task, we are developing Al-based software 
to enable design engineers to evaluate alternate sensor configurations. Based on 
techniques from model-based reasoning and information theory, the software tool 
makes explicit the quantitative tradeoffs among competing sensor placements, and 
helps designers explore and justify placement decisions. This work is being applied 
to the Environmental Control and Life Support System (ECLSS) testbed at MSFC to 
assist design personnel in placing sensors for lest purposes to evaluate baseline 
configurations and ultimately to select advanced life support system technologies for 
evolutionary SSF. 
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BACKGROUND 


JPL is conducting research on advanced monitoring systems which maximize 
feedback of engineering information from complex, dynamic space systems where 
human and computational resources are constrained. This work has impact upon 
both real-time monitoring (sensor selection) and system design (sensor placement). 

MSFC and Boeing contractors are working on fault detection, isolation, and 
recovery (FDIR) for SSF ECLSS and are performing tests on and evaluating designs 
for SSF ECLSS hardware. 

The ECLSS Predictive Monitoring task will transfer results on real-time monitoring 
capabilities and sensor placement guidance from work on the SELMON system at JPL 
to MSFC to support ECLSS testbed activities addressing SSF baseline and evolutionary 
requirements. 
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ECLSS Predictive Monitoring task 

sensor placement guidance during system design 

and sensor selection for real-time monitorinq 


PROBLEM 


Sensor placement is the task of determining a set of sensors which allows the most 
accurate, safe, and reliable determination of the overall state of a monitored system 
while minimizing sensor power consumption, cost, computing power requirements, 
and weight. Reducing these quantities is particularly important in space-borne 

systems due to power and payload restrictions. In complex systems, this minimization 

task can be quite difficult. 
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in complex systems (SSF ECLSS), minimization is difficult 


OBJECTIVE 


The objective of this project is twofold: Current work is aimed at providing ECLSS 

design engineers with software tools for evaluating alternative baseline SSF sensor 
placements. More specifically, to assist ECLSS designers in verifying that proposed 
baseline sensor configurations ensure safe, reliable monitoring while minimizing 
power, weight, computing requirements, and monetary cost. For evolutionary SSF, 
automated sensor placement will facilitate the utilization of advanced life support 
technologies (e.g. closed-loop regenerative life support) with more complex 
monitoring requirements which were unacceptable for baseline ECLSS because the 
monitoring requirements could not be easily met with available techniques. 
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Evolutionary: Enable utilization of more advanced 

technologies while maintaining mon 


BENEFITS 


Our approach uses a model-based simulation capability to evaluate how each sensor 
rates with respect to several monitorability measures over the behavior space of the 
monitored system. These scores can then be used to evaluate a proposed sensor 
configuration. 

This sensor placement evaluation capability provides a number of benefits. First, 
this evaluation capability will aid designers in the sensor placement task by 
facilitating evaluation of alternative sensor placements. In particular, this 
capability would provide a quantitative measure of tradeoffs in sensor placements 
which previously have been viewed only subjectively. A second benefit is that 
quantification of sensor placement measures will aid in design documentation by 
allowing quantitative justification for sensor placements. Third, the automated 
evaluation capability will facilitate assessment of the impact of system design 
changes upon sensor placements. Finally, as a fourth benefit, this sensor placement 

evaluation capability can be used to aid in sensor power planning. When the utility 
of a sensor depends greatly upon the operating mode of the monitored device, it may 
be possible to reduce overall sensor power consumption by powering certain sensor 
suites only in limited operating modes. Because our approach measures the utility of 
sensors in each system operating mode, it can assist in sensor power planning. 
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Facilitates sensor power planning. 


MODEL-BASED APPROACH 


Our approach to sensor placement can be described generally as follows: 

1. Given nominal behavioral models of the system and a causal simulation capability, 
generate a behavior space for the system. 

2. Apply monitorability measures for sensitivity, cascading alarms, and potential 
damage to simulated system operation over these operating modes. 

3. Compute teleological analysis scores. 

4. Compute sensor placement recommendations as those with highest scores from the 
analyses. 
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MONITORABILITY MEASURES 


Our model-based reasoning approach to evaluating sensor placements uses four 
monitorability measures. Sensitivity Analysis suggests sensor placements which 
measure quantities which have the greatest impact upon the overall state of the 
system. Cascading Alarm Analysis suggests sensor placements which measure 
quantities whose changes have the potential to generate many alarms. Potential 
Damage Analysis suggests those sensor placements which measure quantities which 
are likely to cause permanent damage to devices in the system being monitored. 
Teleological Analysis suggests sensor placements which monitor quantities relevant 
to specified operational goals of the system. Our approach uses a model-based 
simulation capability to evaluate how each sensor rates with respect to each of these 
measures over the behavioral space of the monitored system. These scores can then 

be used to generate a proposed sensor set. 
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THE SSF ECLSS TESTBED AT MSFC 


Our sensor placement approach is being tested upon the water reclamation subsystem 
of the Environmental Control and Life Support System (ECLSS) for Space Station 
Freedom. A model describing the behavior of the multifiltration (MF) subsystem in 
terms of fluid flow and heat transfer has been constructed. This model was developed 
via a combination of study of design documentation (i.e. schematics, etc.) and 
consultation with domain experts (e.g. the operators of the testbed). This model has 
been validated by comparison against actual data from the subsystem testbed 
undergoing evaluation at the Marshall Space Flight Center (MSFC) in Huntsville, 
Alabama. We are in the process of extending our model to cover more of the ECLSS 
subsystems, including the air recycling subsystem. 
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THE MULTIFILTRATION SUBSYSTEM 


The ECLSS multifiltration (MF) subsystem consists of two parts — the sterilization loop 

and the unibed assembly. In this subsystem, the water first passes through a pump at 
the inlet to the system. Next, the water passes through a coarse filter before entering 

the sterilization loop. In the sterilization loop the water is heated in the regenerative 
heat exchanger and then by the in-line heater. The in-line heater has only a coarse 

temperature control and thus the water temperature here may differ by as much as 
10° F from the goal of 250° F. Within the sterilizer reservoir, the temperature of the 
water is maintained more accurately at 250°F for about 9 minutes. In the second 
portion of the subsystem, the water passes through a set of unibed filters designed to 
remove particulate contaminants from the water. Possible sensor types are flow rate, 

water pressure, and temperature. Possible sensor locations are indicated in by ovals. 

Specified operational goals are: 

1. maintain processed water at 250°F in sterilizer reservoir for 9 minutes; and 

2. maintain water flow through the unibed of at least 15 mL/minute. 
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SENSITIVITY ANALYSIS 

Sensitivity Analysis measures the sensitivity of other quantities in the monitored 
system to changes in a given quantity. This measure depends upon information 
about "normal" magnitudes of change for the devices in question. For each normal 
operating mode of the system, the following procedure is followed. For each quantity 
Q e MonitorableQuantities (the set of all monitorable quantities in the model), 
determine nominal operating values and alarm ranges. Next compute a normalized 
change increase AQ+ and decrease AQ- as the average amount of change between 
updates for that operating mode. Next, for each quantity Q, beginning with an initial 
state where all devices/sensors are at nominal operating values, simulate a change 
AQ in Q, propagating this change to other quantities in AllQuantities (the set of all 
quantities in the model), as dictated by the model. For each such changed quantity Q' 

€ AllQuantities, for each time the quantity changes during the simulation, collect a 
sensitivity score proportional to the amount of change in Q' from its normal value 
Q'nominal relative to alarm thresholds but also modified by a decreasing function of 
time 1 . This calculation captures the notion that delayed and less direct effects are 
more likely to be controllable and less likely to occur. Thus, a change which affects a 
quantity Q' but occurs slowly is considered less important. This simulation proceeds 
for a preset amount of simulated time. Then, for each changed quantity Q', take the 
maximum of the collected change score for that quantity. The sensitivity score for Q 
is the sum of these maximums for all the Q's. Thus, for each quantity Q, a simulated 
change produces a set of changescores for other quantities in the model. The 
sensitivity score for Q is the sum of the respective maximums of each of these sets^. 
The computation of the sensitivity scores is shown below. 

Simulate a change AQ+ or AQ- to Q beginning at time 0 and continuing to time AT (a 
user-supplied default). 

For each change to a quantity Q’ occurring at time T C hange< compute a change 
score as follows. 

let Q'new be the new value for Q’ 

IQ'new ■ Q’nominal! (AT - T c hange) 

changescore(Q') = • 

IQ alarm * Q'nominal! AT 

add this changescore to the set of collected changescores for Q' 

let MaxChangeScore(Q') = the maximum of the set of collected changescores for Q' 

let sensitivity(Q) = ^ MaxChangeScore(Q') 

Q'e AllQuantities 

The overall sensitivity score for Q is then computed by summing the sensitivity 
scores for AQ+ and AQ- weighted by relative frequency of increase vs. decrease for Q. 


1 This can be viewed as an average dQ'/dQ modified by a decreasing function of time elapsed and 
normalized for the alarm threshold for Q'. 

^Quantities which do not change when Q is changed produce an empty set of changescores. We 
define the maximum of this empty set as 0 for the purpose of the sensitivity summation. 
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identify those sensors which, when undergoing change, 
result in the greatest global change within the system 


SENSITIVITY RECOMMENDATIONS 


Sensitivity Analysis suggests the specific placement of 
relief valve at point 7. This is because the relief valve 
pressure at point 7 is above 40 psig, the relief valve will 
the system behavior. The opening of the relief valve 
significant pressure loss, as well as significantly affecting 


a pressure sensor near the 
is pressure controlled; if the 
open and drastically change 
would cause an immediate 
flow in the MF subsystem. 
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recommend pressure sensor at point 7 because 
pressure there affects the operation of the relief valve, 
which significantly affects overall system operation 



CASCADING ALARMS ANALYSIS 


Cascading alarms analysis measures the potential for change in a single quantity to 

cause a large number of alarm states to occur, thus causing information overload and 
confusion for operators. As with sensitivity analysis, cascading alarms analysis is 

performed for each operating mode of the monitored system. For a standardized 
amount of increase and decrease for each monitorable quantity Q, the effects of such 
a change are propagated throughout the system and the number of triggered alarms 
is counted. This standardized amount of change is different from the measure used in 
the sensitivity analysis as normal changes are not likely to produce cascading alarm 
patterns. The alarm count is then normalized for the total number of possible alarms. 

The weight of each alarm state triggered is also decreased as a function of the time 

delay from the initial change event to the alarm. This has the effect of focusing this 
measure on quickly developing cascading alarm sequences which are the most 
difficult to interpret and diagnose. The computation of cascading alarms scores is 
shown below. 

Simulate a change AQ+ or AQ- to Q beginning at time 0 and continuing to time AT (a 
user-supplied default) where AQ+ and AQ- are functions of the distance between the 
nominal value for Q and the alarm value for Q in the increasing and decreasing 
directions respectively 


]jjr InAlarm(Q') 

Q'e all quantities 

let CascadingAlarm(Q) = 

number of quantities Q' 

where InAlarm(Q') = (AT - T a i arm )/AT 

if Q' entered an alarm range during the simulation 
and T a ] arm is the earliest time Q' was in an alarm range 
and 


InAlarm(Q') = 0 

if Q’ did not enter an alarm range during the simulation. 
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identify those sensors which, when in alarm, have the greatest 
potential to create alarm states elsewhere in the system 


CASCADING ALARMS RECOMMENDATIONS 


Cascading alarms analysis suggests placement of flow rate sensors because 
significant perturbations in flow rate can cause cascading temperature and pressure 
alarms. 


Advanced Development Program 



recommend flow sensor at point 2 because anomalous flow 
can cause cascading pressure and temperature alarms 



POTENTIAL DAMAGE ANALYSIS 


Another measure is potential damage analysis, which is computed in two parts — 

predictive potential damage and potential damage detection. Predictive potential 

damage measures the capability of a sensor to predict damage to devices in the * 

system. For each device and quantity associated with that device, there is an 

associated operating range which is judged to be harmful to the device. Predictive 

potential damage analysis is performed by simulating a change in each monitorable 

quantity Q and scoring upon the basis of how many devices will enter harmful 

ranges due to the change in Q. Predictive potential damage analysis scores are • 

moderated by the number of control points which may interdict the damage. For the 

causal path leading to the damaged device, for each mechanism (arc in the causal 

graph) which can be influenced by a controllable parameter, the potential damage 

score is reduced. The potential damage measure depends more critically upon 

domain-specific information beyond the schematic, as many of the potential damage 

scenarios involve device or subsystem interactions. The computation of potential 

damage scores is shown below. 

Simulate a change AQ+ or AQ- to Q beginning at time 0 and continuing to time AT (a 
user-supplied default). 

let PotentialDamagePredict(Q) = ^ Damaged?(Q') 

Q'e all quantities 


where (AT - T a i arm ) 

Damaged?(Q’) = 

AT x (control + 1) 

if Q' entered a damaging range during the simulation where T a i arm is 
the earliest time Q' was in a damage range and control is the number of 
control points in the causal chain leading to the damaging quantity 
value and 

Damaged?(Q') = 0 

if Q' did not enter a damage range during the simulation. 

The second part of potential damage analysis is damage detection. In this measure, 
the model is used to simulate devices in the system entering damaging operating 
modes, and potential sensors are scored upon the basis of how much they change (in 
the same manner as the sensitivity analysis). Damage detection analysis is 
performed by propagating a change resulting in a device entering a damaging 
range, and measuring the resulting change in other sensors as in sensitivity 
analysis. Those sensors which change more significantly to indicate the damaging 
device state are scored higher by the damage detection analysis. Let AQ'+ or AQ'- be 
changes sufficient to cause Q' to enter a device damaging range. Simulate a change 
AQ'+ or AQ'- to Q' beginning at time 0 and continuing to time AT (a user-supplied 
default). 

let PotcntialDamageDetect(Q) = ^ Changescore(Q) 

Q'e all quantities 
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identify those sensors which predict or inform 
of permanent damage to the system 


POTENTIAL DAMAGE RECOMMENDATIONS 


Potential Damage Detection Analysis suggests placing a temperature sensor a 
If the in-line heater overheats, it could cause the water flowing through to 
to an unacceptably higher temperature than normal. 


point 4. 
be raised 
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recommends temperature sensor at point 4 
to detect a damaging overheating of the 
in-line heater immediately upstream 




TELEOLOGICAL ANALYSIS 


The final measure is teleological analysis, which does not use the model-based 

simulation capability. Instead, teleological analysis directly examines mechanism 
dependencies in the causal graph to produce a sensor placement score. 

Teleological analysis suggests measurements of quantities which provide the most 

direct feedback on operational goals of the system being monitored. In this measure, 
those quantities directly mentioned in the operational specifications of the system 
are scored highest, those quantities directly influencing these quantities are scored 

next highest, etc. The exact computation of the teleological measure involves 

backtracing the causal graph. Directly monitorable quantities appearing in the goal 

description receive a score of 1. For each mechanism affecting the goal quantity, a 

teleology score inversely proportional to the number of such mechanisms is divided 
equally among the inputs to the mechanism. Thus, if there are m mechanisms 

affecting a goal quantity, and one of these mechanisms has n inputs, each such input 
receives a score 1/m n . Note that multiple independent causal influence paths 
combine additively. While this process proceeds recursively for mechanisms 

potentially influencing the inputs to the given mechanism, each level is multiplied 
by 1 /d where d is the number of mechanisms (arcs in the causal graph) distant from 

the goal quantity. 
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identify those sensors which correspond to quantities 
most directly related to operational goals of the system 


TELEOLOGICAL RECOMMENDATIONS 


Teleological Analysis suggests placing flow rate sensors at point 8 to verify the flow 
of water through the unibeds as the flow rate is directly mentioned in the 

operational goal specification. Teleological Analysis also scores highly a flow rate 

sensor in the sterilizer reservoir (point 5), as this quantity determines the time spent 
by the water in the sterilizer reservoir. Finally, Teleological Analysis suggests 
placement of a temperature sensor for the sterilizer reservoir (point 5), as this 

quantity appears in the operational goal specification of the system. 


Advanced Development Program 



j 

a 

I 



1345 


recommends temperature and flow sensor at point 5 
because of the temperature and time goals of the 
sterilizer reservoir; recommends a flow sensor at point 8 
because of the unibed flow goal 



COLLABORATION 


JPL and MSFC personnel are collaborating in the ECLSS Predictive Monitoring Task. 
JPL personnel are developing information quantification and model -based reasoning 
techniques applicable to both sensor placement for monitorability and sensor 
selection in monitoring. In support of these goals, MSFC personnel are assisting by 
providing technical expertise to support the construction of models of ECLSS 
subsystems. Additionally, MSFC personnel are providing ECLSS testbed data to be used 
in testing the sensor placement and sensor selection software being developed at JPL. 
As results from this testing become available, they are made available to MSFC 
personnel who provide feedback on the value and accuracy of sensor placement and 
sensor selection recommendations. This feedback is used to refine the methods and 
software being developed at JPL. 
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feedback from 
domain experts 
on sensor 
recommendations 
for ECLSS 


SCHEDULE 


The first users of the sensor placement evaluation and generation capabilities 
developed in this task will be the MSFC ECLSS design team led by Environmental 
Control and Life Support Branch Chief K. Mitchell. 

FY91: The design for the sensor placement evaluation tool based on four 

monitorability measures has been completed. A proof-of-concept^ demonstration 
will be completed for the SSF ECLSS MF subsystem. Causal modelling efforts have 
been targeted for the water reclamation subsystem of ECLSS. 

FY92: The proof-of-concept sensor placement tool based on monitorability measures 

will be extended to a functional prototype system. This full-capability system will be 
available for evaluating proposed baseline ECLSS sensor configurations. Although 
the delivery date for this system will miss the POST milestone for the air side of ECLSS, 
it will precede the POST milestone for the water side of ECLSS by 6 months, the POST 
milestone for integrated ECLSS subsystems by 12 months, and the first BOST deadline 
for ECLSS (air side) by ~18 months. Also, in FY92, a design and proof-of-concept 
demonstration for a sensor placement evaluation tool based on diagnosability 
measures will be completed. Causal modelling efforts on the water reclamation 

subsystem of ECLSS will be completed and modelling efforts on the air recycling 
subsystem will be initiated. A design for a sensor placement generation tool also will 
be developed. 

FY93: The functional prototype sensor placement tool based on monitorability 

measures will be extended to a pilot system. The proof-of-concept sensor placement 
tool based on diagnosability measures will be extended to a functional prototype 
system. This full-capability system will be available for evaluating proposed baseline 
ECLSS sensor configurations. Although the delivery date for this system will miss the 
POST milestone for the air side of ECLSS and coincide with the POST milestone for the 
water side of ECLSS, it will precede the POST milestone for integrated ECLSS 
subsystems by 6 months, and the first BOST deadline for ECLSS (air side) by -12 
months. Also in FY93, causal modelling efforts on the air recycling subsystem will be 
completed. A proof-of-concept demonstration for a sensor placement generation tool 

will be completed. 

FY94 & FY95: The functional prototype sensor placement tool based on diagnosability 

measures will be extended to a pilot system. Both pilot sensor placement evaluation 
tools will be available for evaluating monitoring and diagnosis requirements for 
advanced life support technologies for evolutionary SSF. The proof-of-concept 
system for a sensor placement generation tool will be extended to a functional 
prototype system. Sensor configurations obtained with this software tool will be 
available for evaluation. In FY95, the functional prototype system for a sensor 
placement generation tool will be extended to a pilot system. 


^ A proof-of-concept (POC) system is one which works correctly on a specific example or set of 
examples but is not designed to be robust and extendable. A functional prototype system is one 
which provides full capability, is robust and extendable, and is delivered both for actual use and 
for rigorous testing and evaluation in a real setting. A pilot system is one which has been refined 
through feedback provided on the functional prototype system and is delivered for general use 
with stated and frozen design specifications. 
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SUMMARY 


The trend for many years as space platforms have become more complex has been to 

oversense these systems, to anticipate unforeseen fault modes and sensor failures. * 

However, this strategy becomes untenable when the amount of sensor data becomes 

too great for operators to assimilate and interpret, and when the cost, launch weight, 

and power consumption of too many sensors becomes unacceptable. 

On Space Station Freedom (SSF), design iterations have made clear the need to 
keep the sensor complement small. Along with the unprecedented duration of the * 

mission, it is imperative that decisions regarding placement of sensors be carefully 
examined and justified during the design phase. 

In the ECLSS Predictive Monitoring task, we are developing AI -based software 

to enable design engineers to evaluate alternate sensor configurations. Based on 
techniques from model-based reasoning and information theory, the software tool 
makes explicit the quantitative tradeoffs among competing sensor placements, and 

helps designers explore and justify placement decisions. This work is being applied 

to the Environmental Control and Life Support System (ECLSS) testbed at MSFC to 
assist design personnel in placing sensors for test purposes to evaluate baseline 

configurations and ultimately to select advanced life support system technologies for 
evolutionary SSF. 
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ECLSS sensor configurations. 

• Will be applied to ensure monitorability of advanced life 
support technologies for evolutionary SSF. 


